linkerd2

edge-23.12.4

This edge release includes fixes and improvements to the destination
controller's endpoint resolution API.

• Fixed an issue in the control plane where discovery for pod IP addresses could
  hang indefinitely (#11815)
• Updated the proxy to enforce time limits on control plane response streams so
  that proxies more naturally distribute load over control plane replicas
  (#11837)
• Fixed the policy's controller service metadata responses so that proxy logs
  and metrics have informative values (#11842)

edge-23.12.3

This edge release contains improvements to the logging and diagnostics of the
destination controller.

• Added a control plane metric to count errors talking to the Kubernetes API
  (#11774)
• Fixed an issue causing spurious destination controller error messages for
  profile lookups on unmeshed pods with port in default opaque list (#11550)

stable-2.14.7

This stable release fixes two bugs in the Linkerd control plane.

• Fixed an issue in the destination controller where the metadata API was not
  properly initialized for jobs, leading to error messages and unnecessary API
  calls (#11541)
• Fixed an issue in the policy controller where it was overriding statuses on
  HTTPRoute resources from other controllers (#11705)

edge-23.12.2

This edge release includes a restructuring of the proxy's balancer along with
accompanying new metrics. The new minimum supported Kubernetes version is 1.22.

• Restructured the proxy's balancer (#11750): balancer changes may now occur
  independently of request processing. Fail-fast circuit breaking is enforced on
  the balancer's queue so that requests can't get stuck in a queue indefinitely.
  This new balancer is instrumented with new metrics: request (in-queue) latency
  histograms, failfast states, discovery updates counts, and balancer endpoint
  pool sizes.
• Changed how the policy controller updates HTTPRoute status so that it doesn't
  affect statuses from other non-linkerd controllers (#11705; fixes #11659)

stable-2.14.6

This stable release back-ports bugfixes and improvements from recent edge
releases.

• multicluster: Added an imagePullSecrets configuration to
  linkerd-multicluster Helm chart (thanks @lhaussknecht!). (#11287)
• multicluster: Updated the service mirror to support gateways exposed on
  multiple IP addresses (thanks @MrFreezeex!) (#11499)
• Updated control plane logging so that client-go may emit error logs. This will
  also ensures that all logs are emitted in JSON when the json log format is
  enabled. (#11632)
• Added kubeAPI.clientBurst and kubeAPI.clientQPS configurations that allow
  users to configure the burst and QPS rate limits for the Kubernetes API
  clients used by the control plane. The default burst and qps values are now
  set at 200 and 100, respectively. The prior defaults limited bursts 10 and QPS
  to 5, which could cause throttling issues in clusters that schedule many pods
  quickly. (#11644)
• viz: Update the default prometheus version to v2.48.0. (#11633)

edge-23.12.1

This edge release introduces new configuration values in the identity
controller for client-go's QPS and Burst settings. Default values for these
settings have also been raised from 5 (QPS) and 10 (Burst) to 100 and
200 respectively.

• Added namespaceSelector fields for the tap-injector and jaeger-injector
  webhooks. The webhooks are now configured to skip kube-system by default
  (#11649; fixes #11647) (thanks @mikutas!)
• Added the ability to configure client-go's QPS and Burst settings in the
  identity controller (#11644)
• Improved client-go logging visibility throughout the control plane's
  components (#11632)
• Introduced PodDisruptionBudgets in the linkerd-viz Helm chart for tap and
  tap-injector (#11628; fixes #11248) (thanks @mcharriere!)

stable-2.14.5

This stable release fixes a proxy regression where bursts of TCP connections
could result in EOF errors, due to an incorrect queue capacity. In addition, it
includes fixes for the control plane, dependency upgrades, and support for image
digests in Linkerd manifests.

• Added a controlPlaneVersion override to the linkerd-control-plane Helm chart
  to support including SHA256 image digests in Linkerd manifests (thanks
  @cromulentbanana!) (#11406; fixes #11312)
• Added a checksum/config annotation to the destination and proxy injector
  deployment manifests, to force restarting those workloads whenever their
  webhook secrets change during upgrade (thanks @iAnomaly!) (#11440; fixes
  #6940)
• Updated the Policy controller's OpenSSL dependency to v3, as OpenSSL 1.1.1 is
  EOL (#11625)
• proxy: Increased DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY to prevent EOF errors
  during bursts of TCP connections (proxy PR #2521)

edge-23.11.4

This edge release introduces support for the native sidecar containers entering
beta support in Kubernetes 1.29. This improves the startup and shutdown ordering
for the proxy relative to other containers, fixing the long-standing
shutdown issue with injected Jobs. Furthermore, traffic from other
initContainers can now be proxied by Linkerd.

In addition, this edge release includes Helm chart improvements, and improvements
to the multicluster extension.

• Added a new config.alpha.linkerd.io/proxy-enable-native-sidecar annotation
  and Proxy.NativeSidecar Helm option that causes the proxy container to run
  as an init-container (thanks @teejaded!) (#11465; fixes #11461)
• Fixed broken affinity rules for the multicluster service-mirror when running
  in HA mode (#11609; fixes #11603)
• Added a new check to linkerd check that ensures all extension namespaces are
  configured properly (#11629; fixes #11509)
• Updated the Prometheus Docker image used by the linkerd-viz extension to
  v2.48.0, resolving a number of CVEs in older Prometheus versions (#11633)
• Added nodeAffinity to deployment templates in the linkerd-viz and
  linkerd-jaeger Helm charts (thanks @naing2victor!) (#11464; fixes
  #10680)

edge-23.11.3

This edge release fixes a bug where Linkerd could cause EOF errors during bursts
of TCP connections.

• Fixed a bug where the linkerd multicluster link command's
  --gateway-addresses flag was not respected when a remote gateway exists
  (#11564)
• proxy: Increased DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY to prevent EOF errors
  during bursts of TCP connections

stable-2.14.4

This stable release improves observability for the control plane by adding
additional logging to the destination controller and by adding histograms which
can detect Kubernetes informer lag. It also adds the ability to configure
protocol detection.

• Improved logging in the destination controller by adding the client pod's
  name to the logging context. This will improve visibility into the messages
  sent and received by the control plane from a specific proxy (#11532)
• helm: Introduce configurable values for protocol detection (#11536)
• Fixed an issue where the Destination controller could stop processing service
  profile updates, if a proxy subscribed to those updates stops reading them;
  this is a followup to the issue [#11491] fixed in stable-2.14.2 (#11546)
• In the Destination controller, added informer lag histogram metrics to track
  whenever the Kubernetes objects watched by the controller are falling behind
  the state in the kube-apiserver (#11534)
• proxy: Fix grpc_status metric labels for inbound traffic

edge-23.11.2

This edge release contains observability improvements and bug fixes to the
Destination controller, and a refinement to the multicluster gateway resolution
logic.

• Fixed an issue where the Destination controller could stop processing service
  profile updates, if a proxy subscribed to those updates stops reading them;
  this is a followup to the issue [#11491] fixed in edge-23.10.3 (#11546)
• In the Destination controller, added informer lag histogram metrics to track
  whenever the Kubernetes objects watched by the controller are falling behind
  the state in the kube-apiserver (#11534)
• In the multicluster service mirror, extended the target gateway resolution
  logic to take into account all the possible IPs a hostname might resolve to,
  rather than just the first one (thanks @MrFreezeex!) (#11499)
• Added probes to the debug container to appease environments requiring probes
  for all containers (#11308)

stable-2.14.3

This stable release fixes an issue in the Destination controller that was
forbidding to route traffic to opaque ports on unmeshed pods. Also, it increases
the log level from debug to warning when the outbound proxy faces this type of
events.

• Fixed GetProfiles error in the Destination controller when address is opaque
  and unmeshed (#11556, fixes#11555)
• Started logging at warning level in the proxy when the controller clients
  receive an error (#2499)

edge-23.11.1

This edge release fixes two bugs in the Destination controller that could cause
outbound connections to hang indefinitely.

• helm: Introduce configurable values for protocol detection (#11536)
• destination: Fix GetProfiles error when address is opaque and unmeshed (#11556)
• destination: Return NotFound for unknown pod names (#11540)
• proxy: Log controller errors at WARN
• proxy: Fix grpc_status metric labels for inbound traffic

edge-23.10.4

This edge release includes a fix for the ServiceProfile CRD resource schema.
The schema incorrectly required not response matches to be arrays, while the
in-cluster validator parsed not response matches as objects. In addition, an
issues has been fixed in linkerd profile. When used with the --open-api
flag, it would not strip trailing slashes when generating a resource from
swagger specifications.

• Fixed an issue where trailing slashes wouldn't be stripped when generating
  ServiceProfile resources through linkerd profile --open-api (#11519)
• Fixed an issue in the ServiceProfile CRD schema. The schema incorrectly
  required that a not response match should be an array, which the service
  profile validator rejected since it expected an object. The schema has been
  updated to properly indicate that not values should be an object (#11510;
  fixes #11483)
• Improved logging in the destination controller by adding the client pod's
  name to the logging context. This will improve visibility into the messages
  sent and received by the control plane from a specific proxy (#11532)
• Fixed an issue in the destination controller where the metadata API would not
  initialize a Job informer. The destination controller uses the metadata API
  to retrieve Job metadata, and relies mostly on informers. Without an
  initialized informer, an error message would be logged, and the controller
  relied on direct API calls (#11541; fixes #11531)

stable-2.14.2

This stable release fixes issues in the proxy and Destination controller which
can result in Linkerd proxies sending traffic to stale endpoints. In addition,
it contains a bug fix for profile resolutions for pods bound on host ports and
includes patches for security advisory CVE-2023-44487/GHSA-qppj-fm5r-hxr3

• Control Plane

  • Fixed an issue where the Destination controller could stop processing
    changes in the endpoints of a destination, if a proxy subscribed to that
    destination stops reading service discovery updates. This issue results in
    proxies attempting to send traffic for that destination to stale endpoints
    (#11491, fixes #11480, #11279, #10590)
  • Fixed an issue where the Destination controller would not update pod
    metadata for profile resolutions for a pod accessed via the host network
    (e.g. HostPort endpoints) (#11334)
  • Addressed CVE-2023-44487/GHSA-qppj-fm5r-hxr3 by upgrading several
    dependencies (including Go's gRPC and net libraries)

• Proxy

  • Fixed a regression where the proxy rendered grpc_status metric labels as
    a string rather than as the numeric status code (linkerd2-proxy#2480;
    fixes #11449)
  • Fixed a regression introduced in stable-2.13.0 where proxies would not
    terminate unused service discovery watches, exerting backpressure on the
    Destination controller, potentially causing it to become
    stuck (linkerd2-proxy#2484)

edge-23.10.3

This edge release fixes issues in the proxy and Destination controller which can
result in Linkerd proxies sending traffic to stale endpoints. In addition, it
contains other bugfixes and updates dependencies to include patches for the
security advisories CVE-2023-44487/GHSA-qppj-fm5r-hxr3 and GHSA-c827-hfw6-qwvm.

• Fixed an issue where the Destination controller could stop processing
  changes in the endpoints of a destination, if a proxy subscribed to that
  destination stops reading service discovery updates. This issue results in
  proxies attempting to send traffic for that destination to stale endpoints
  (#11483, fixes #11480, #11279, and #10590)
• Fixed a regression introduced in stable-2.13.0 where proxies would not
  terminate unused service discovery watches, exerting backpressure on the
  Destination controller which could cause it to become stuck
  (linkerd2-proxy#2484 and linkerd2-proxy#2486)
• Added INFO-level logging to the proxy when endpoints are added or removed
  from a load balancer. These logs are enabled by default, and can be disabled
  by setting the proxy log level to
  warn,linkerd=info,linkerd_proxy_balance=warn or similar
  (linkerd2-proxy#2486)
• Fixed a regression where the proxy rendered grpc_status metric labels as a
  string rather than as the numeric status code (linkerd2-proxy#2480; fixes
  #11449)
• Extended linkerd-jaeger's imagePullSecrets Helm value to also apply to
  the namespace-metadata ServiceAccount (#11504)
• Updated the control plane's dependency on the golang.google.org/grpc Go
  package to include patches for CVE-2023-44487/GHSA-qppj-fm5r-hxr3 ([#11496])
• Updated dependencies on rustix to include patches for GHSA-c827-hfw6-qwvm
  (linkerd2-proxy#2488 and #11512).

edge-23.10.2

This edge release includes a fix addressing an issue during upgrades for
instances not relying on automated webhook certificate management (like
cert-manager provides).

• Added a checksum/config annotation to the destination and proxy injector
  deployment manifests, to force restarting those workloads whenever their
  webhook secrets change during upgrade (thanks @iAnomaly!) (#11440)
• Fixed policy controller error when deleting a Gateway API HTTPRoute resource
  (#11471)

edge-23.10.1

This edge release adds additional configurability to Linkerd's viz and
multicluster extensions.

• Added a podAnnotations Helm value to allow adding additional annotations to
  the Linkerd-Viz Prometheus Deployment (#11365) (thanks @cemenson)
• Added imagePullSecrets Helm values to the multicluster chart so that it can
  be installed in an air-gapped environment. (#11285) (thanks @lhaussknecht)

edge-23.9.4

This edge release makes Linkerd even better.

• Added a controlPlaneVersion override to the linkerd-control-plane Helm chart
  to support including SHA256 image digests in Linkerd manifests (thanks
  @cromulentbanana!) (#11406)
• Improved linkerd viz check to attempt to validate that the Prometheus scrape
  interval will work well with the CLI and Web query parameters (#11376)
• Improved CLI error handling to print differentiated error information when
  versioncheck.linkerd.io cannot be resolved (thanks @dtaskai) (#11377)
• Fixed an issue where the destination controller would not update pod metadata
  for profile resolutions for a pod accessed via the host network (e.g.
  HostPort endpoints) (#11334).
• Added a validating webhook config for httproutes.gateway.networking.k8s.io
  resources (thanks @mikutas!) (#11150)
• Introduced a new multicluster check --timeout flag to limit the time
  allowed for Kubernetes API calls (thanks @moki1202) (#11420)

stable-2.13.7

This stable release backports two fixes that address security
vulnerabilities. The proxy's dependency on the webpki library has been updated
to patch RUSTSEC-2023-0052, a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
proxy-init images have been updated to patch CVE-2023-2603 surfaced in the
runtime image's libcap library. Finally, the release contains a backported fix
for service discovery on endpoints that use hostPorts which could potentially
disrupt connections on pod restarts.

• Control Plane

  • Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts (#11328)

• Proxy

  • Addressed security vulnerability RUSTSEC-2023-0052 (#11389)

• CNI

  • Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI
    plugin (#11348)